Post on 25-Mar-2022

10 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: New ProxyShell Post-exploitation Activity

New ProxyShell Post-exploitation Activity

Introduction

Since mid-August, the FortiGuard Responder team has observed significant spikes in exploitation of the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) across the globe. Because successful exploitation of these vulnerabilities ‘fast tracks’ adversaries through the kill chain, and because so much of the observed activity looks alike, attribution of this activity is difficult.

While most post-exploitation activity mirrored that seen earlier in the year following the widespread ProxyLogon exploitation, the FortiGuard Responder team identified a number of new post-exploitation TTPs and malware samples not previously associated with Exchange exploitation. This activity was also observed in FortiGuard Managed Detection and Response customer environments across the globe. In these FortiEDR protected environments, these attacks were detected and mitigated early, preventing the various threat actors from using the access gained from exploiting these known vulnerabilities to perform significant actions.

The purpose of this article is to demonstrate a clear example of FortiEDR’s ability to effectively mitigate against previously unknown malware in the wild and provide practical guidance on how to best configure and operate FortiEDR to get the best protection.

Affected Platforms: Windows Endpoints, Vulnerable Microsoft Exchange Servers

Threat Type: Cryptomining

Impacted Users: Windows users

Impact: Cryptocurrency mining by taking advantage of the compromised system resources

Severity: Medium

Kill Chain

(Kill chain diagram: phases run from PRE-ATT&CK to ATT&CK with increasing speed, complexity, and risk.)

Reconnaissance: Open-source research, e.g. Shodan

Weaponization: Customize open-source ProxyShell POC exploit

Delivery: Crafted web requests to the Microsoft Exchange 2016 Server

Exploitation: ProxyShell exploitation of the Microsoft Exchange 2016 Server

Installation: Drop web shells embedded in a PST file into the IIS webroot (owa, ecp, aspnet_client)

Command & Control: Standard web traffic to unknown IPs

Action on Objectives: Deploy crypto mining software (XMRig Monero miner)


This activity was observed in an Australian customer’s environment (legal services) starting on 25 September 2021 and is linked to an unattributed group that uses access gained through exploitation of the ProxyShell vulnerabilities to deploy cryptomining software on compromised hosts. This group was also observed using lateral movement to deploy cryptomining software throughout the compromised network. In this case, the customer’s security policy was set to ‘Simulation’, which only tags events that would have been mitigated rather than enforcing mitigations. If FortiEDR had been in ‘Protection’ mode, it would have mitigated all of the detected activity outlined below.

Initial Access, Execution, and Privilege Escalation

The group uses ProxyShell as its initial access to drop Microsoft Outlook Folder (.pst) files saved as .aspx files. These files contain fully functioning embedded web shells; an example is shown below:

Figure 1: Anomalous .pst file header in .aspx file.

Figure 2: Example web shell embedded in .pst file saved as .aspx file.

The use of web shells in this format is indicative of ProxyShell exploitation. IOCs associated with the initial Exchange exploitation are outlined at the bottom of this article.

Following initial access, the embedded web shell was the primary means of communication employed by the actor. POST requests interacting with the web shell were fixed to a set of 5 IPs and 30 unique user agents over the course of the month-long intrusion, indicating low turnover of infrastructure and automation of requests. The structure of the web shell code matches that expected from China Chopper usage. The use of web shells in this configuration allows child processes spawned during command execution to run as ‘Local System’, automatically granting privileged access to the compromised web server.

IOCs associated with observed web shell traffic are outlined at the bottom of this article.
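The check a defender would want for Figures 1 and 2 is a scan of the Exchange virtual directories for .aspx files that do not look like ASP.NET pages. The following Python script is an added example written for this article, not Fortinet's or the article's own code. It flags .aspx files under owa, ecp and aspnet_client that begin with the standard Outlook PST magic (the four bytes `!BDN`, an assumption of this example rather than a value quoted in the article) or that contain an eval() call fed from the request, the China Chopper pattern the article describes. The sample webroot, file names and shell stand-in are constructed; the stand-in is not a working shell.

```python
import os
import re
import tempfile

# Outlook PST/OST files begin with the four-byte magic "!BDN" (standard PST
# header; an assumption of this example, not a value taken from the article).
PST_MAGIC = b"!BDN"

# Heuristic for China Chopper-style ASP.NET shells: request-controlled data
# handed to eval(). Constructed pattern, not a signature from the article.
EVAL_PATTERN = re.compile(rb"eval\s*\(.{0,200}?Request", re.IGNORECASE | re.DOTALL)

# Exchange virtual directories the article lists as web shell drop locations.
DEFAULT_SUBDIRS = ("owa", "ecp", "aspnet_client")


def inspect_aspx(path):
    """Return the findings for one .aspx file; an empty list means nothing odd."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if data.startswith(PST_MAGIC):
        findings.append("pst_header")            # Figure 1: PST header in an .aspx
    if EVAL_PATTERN.search(data):
        findings.append("eval_of_request_data")  # Figure 2: eval()-based shell body
    return findings


def scan_webroot(root, subdirs=DEFAULT_SUBDIRS):
    """Walk the chosen virtual directories; map suspicious .aspx files to findings."""
    results = {}
    for sub in subdirs:
        base = os.path.join(root, sub)
        if not os.path.isdir(base):
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                if not name.lower().endswith(".aspx"):
                    continue
                full = os.path.join(dirpath, name)
                findings = inspect_aspx(full)
                if findings:
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    results[rel] = findings
    return results


def build_sample_webroot():
    """Constructed sample webroot: one benign page and one PST-wrapped shell file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "owa", "auth"))
    os.makedirs(os.path.join(root, "aspnet_client"))
    with open(os.path.join(root, "owa", "auth", "logon.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n')
    with open(os.path.join(root, "aspnet_client", "x.aspx"), "wb") as fh:
        # Fake PST header plus padding, then a non-functional stand-in for the
        # embedded script (constructed; the real shell body is not reproduced).
        fh.write(PST_MAGIC + b"\x00" * 60)
        fh.write(b'<script runat="server">eval(Request ...) '
                 b'/* constructed stand-in, not a working shell */</script>')
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, found in scan_webroot(sample_root).items():
        print(f"{rel_path}: {', '.join(found)}")
```

Pointed at a real server, `scan_webroot(r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy")` (the default Exchange 2016 front-end path, an assumption) covers the directories named in the kill chain; any hit deserves the same treatment as the article's Figure 1 file.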


Post-exploitation Execution and Persistence

Using their web shell access, the group was observed dropping a number of files into the Exchange server’s Temp directory (C:\Windows\Temp): multiple .tmp files and two executables, ‘RAR.exe’ and ‘set.exe’.

This path and file format for the temp files were likely chosen as a defensive evasion technique. The w3wp process regularly writes .tmp files as part of its normal operation, so a SOC would be unlikely to monitor .tmp file writes from that process, or such writes would be omitted from a search. However, looking for .tmp file writes by w3wp.exe where the write path is C:\Windows\Temp allows similar events to be detected. Using the Threat Hunting feature of FortiEDR, we can build search queries that quickly scope other similar behavior, artifacts, and IOCs throughout the compromised environment.

Figure 3: Threat Hunting search for all .tmp files created by the ‘w3wp.exe’ process in the ‘C:\Windows\Temp’ folder.

Figure 4: Threat Hunting search for all .exe files created by the ‘w3wp.exe’ process in the ‘C:\Windows\Temp’ folder.


Static analysis of the “RAR.exe” executable validates that it takes two input files as arguments and decodes and executes them in memory.

Both the ‘RAR.exe’ and ‘set.exe’ executables are unsigned .NET executables flagged by FortiEDR as ‘Unconfirmed Executable’. Executables that are classified as unconfirmed contain additional fields not used by the operating system that are often present in malware to complicate execution and reduce the effectiveness of automated analysis. It is important to note here that at the time of detection this file was entirely unknown, i.e., the hash was not flagged as malicious. Using the FortiEDR Forensics tab we can see that the RAR.exe process detected in the above event was spawned with a simple command argument that lists two of the downloaded .tmp files.

Figure 5: FortiEDR Event Graph showing malicious event caused by RAR.exe behavior.

Figure 6: FortiEDR Stacks view in the Forensics tab showing command line information for the RAR.exe process. Notice the reference to two .tmp files located in the C:\Windows\Temp directory.


Figure 7: “Redirect” function of the RAR.exe executable showing how command line arguments are processed, the subsequent decompression and decryption, and file deletion following execution.

Figure 8: “Decrypt” and “Decompress” functions within RAR.exe. Note the hardcoded AES key and IV.

Looking at the redirect function shown above in Figure 7, it should be noted that the RAR.exe executable deletes the encrypted payloads following successful execution. From the code snippet in Figure 8, we can see that the executable uses a hardcoded AES key and IV to decode the encrypted payloads.


To run the decoded payload, the RAR.exe process spawns a rundll32.exe child process that is hollowed and injected with the payload. This behavior is detected by two rules in the FortiEDR Exfiltration Prevention Policy: ‘Process Hollowing – Process Code Was Replaced’ and ‘Unmapped Executable – Executable File Without a Corresponding File System Reference’. This can be seen in ‘Section 8 Access’ of Figure 5.

The RAR.exe file has no functionality beyond loading encrypted payloads into memory. Searching VirusTotal for content unique to this sample identifies three other files (four in total) with exactly the same characteristics. The submissions are from the U.S., China, the Netherlands, Italy, and Australia, which indicates that this was likely a global campaign.

FortiEDR also analyzes in memory payloads and identified the in-memory executable loaded through the RAR.exe launcher during the observed intrusion as a Monero miner. This information can be viewed through the Forensics tab of FortiEDR.

Figure 9: Outcome of VirusTotal search for hardcoded AES key and IV in file content identified 4 variants of the same file (including the variant we detected).

Figure 10: FortiEDR Automated Analysis view in Forensics tab showing details of the automated sandbox analysis and data enrichment from FortiGuard Labs Threat Intelligence.

FortiEDR also identified network connections from the hollowed rundll32.exe process to three external IP addresses: 104.140.244.186, 199.247.27.41, and 178.128.242.134. Fortinet Cloud Services automatically integrates with FortiGuard Labs Threat Intelligence to enrich observed endpoint activity. In Figure 10 above we can see that FortiGuard Labs has tagged the communicating IP (104.140.244.186) as malicious. To get more information on the tagged IP, we can use FortiGuard Labs Central Threat System (CTS) to look up the flagged IP.


Figure 11: FortiGuard Central Threat System (CTS) information on the ‘104.140.244.186’ IP.

Figure 12: Pre-execution detection of ‘set.exe’ as malicious. The hash of this file is still unknown on VT but FortiEDR was able to correctly classify the file based on machine learning and sandbox execution.

As shown in Figure 11, the IP shows clear indicators of being part of a Monero (cryptocurrency) mining pool. Both other noted IPs have similar domain history.

Lateral Movement, Persistence, and Impact

The ‘set.exe’ file was dropped ten days after the initial intrusion through the same embedded web shell on the Exchange server (see Figure 4 for the Threat Hunting File Create event). This file was then executed through the web shell. Despite the file not having a known hash, the machine learning and the sandbox employed as part of FortiEDR Automated Analysis assessed the sample as having a high likelihood of being malicious, and it was flagged by the FortiEDR Execution Prevention policy as malicious. If FortiEDR had been in Protect mode at the time of execution, this event would have been blocked.


Analysis through FortiEDR Threat Hunting quickly identifies that the set.exe process accepted an executable file path as its argument. In this case the executable was another malicious file, ‘service_update.exe’, hosted on a local share and also dropped through the web shell. The set.exe executable then created a scheduled task called ‘SyncConfigTask’ in the ‘\Microsoft\Windows\SyncCenter\’ folder that would run the executable at the file path provided as a command line argument. Additionally, the executable pushed group policy to the local domain that created the same scheduled task on all domain endpoints. This path for the scheduled task is significant as it is used for OneDrive synchronization tasks (more on this later). Analysis of the ‘service_update.exe’ file shows that it contains the same ‘Decompress’ and ‘Decrypt’ functions as the ‘RAR.exe’ file with a different AES key and IV. The code snippet from ‘service_update.exe’ is shown below:

Figure 13: Decrypt and Decompress functions in the ‘service_update.exe’ executable match those found in ‘RAR.exe’ with a different hardcoded AES key and IV.

Functionally, the “service_update.exe” file is similar to “RAR.exe” except that the encrypted payloads stored in the .tmp files provided to “RAR.exe” on execution are instead embedded as resources in the “service_update.exe” executable. On execution, the file creates and executes a file called “FileSyncConfig.exe” in the ‘C:\Windows\System32’ directory. This file is another variant of the XMRig Monero mining software. This filename is significant as this is the same filename as the OneDrive executable used for OneDrive synchronization. This matches up with the scheduled task name and location used to run the executable and shows a clear intent to disguise itself as a legitimate service.
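The persistence described above leaves two artifacts an auditor can check on every domain host: a task registered under ‘\Microsoft\Windows\SyncCenter\’ whose action runs from a network share, and a FileSyncConfig.exe that lives in System32 rather than where OneDrive installs it. The following Python script is an added example written for this article, not Fortinet's or the article's own tooling. It parses Task Scheduler XML files as stored under C:\Windows\System32\Tasks (UTF-16 XML in the `mit/task` namespace) and flags either condition. The assumption that a legitimate FileSyncConfig.exe sits under a path containing `\OneDrive\` is this example's, not the article's; the share host, user name and the two ‘Example’ tasks are constructed.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption for this example: a legitimate FileSyncConfig.exe lives under a path
# containing "\OneDrive\"; the article only says the dropped copy was in System32.
ONEDRIVE_DIR_MARKER = "\\onedrive\\"


def load_task_xml(path):
    """Read a Task Scheduler XML file (usually UTF-16 with a BOM) and parse it."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    # Drop the declaration so the str can be parsed directly (UTF-16 declared in a str is rejected).
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def task_commands(task_root):
    """Yield the Command of every <Exec> action in the task, without surrounding quotes."""
    for exec_el in task_root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        yield cmd.strip().strip('"')


def assess_command(command):
    """Return the reasons a task action looks like the masquerade described in the article."""
    reasons = []
    low = command.lower()
    if low.startswith("\\\\"):                      # UNC path: payload pulled from a share
        reasons.append("command_on_network_share")
    base = os.path.basename(low.replace("\\", "/"))
    if base == "filesyncconfig.exe" and ONEDRIVE_DIR_MARKER not in low:
        reasons.append("filesyncconfig_outside_onedrive_dir")
    return reasons


def audit_tasks_dir(tasks_root):
    """Map task paths (in Task Scheduler tree form, e.g. \\Microsoft\\...) to reasons."""
    findings = {}
    for dirpath, _, files in os.walk(tasks_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, tasks_root).replace(os.sep, "\\")
            reasons = []
            for cmd in task_commands(load_task_xml(full)):
                reasons.extend(assess_command(cmd))
            if reasons:
                findings["\\" + rel] = reasons
    return findings


TASK_TEMPLATE = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>{command}</Command>
    </Exec>
  </Actions>
</Task>
"""


def build_sample_tasks_dir():
    """Constructed stand-in for C:\\Windows\\System32\\Tasks with three task files."""
    root = tempfile.mkdtemp(prefix="tasks_")
    samples = {
        # Task folder and name from the article; the share host and path are constructed.
        r"Microsoft\Windows\SyncCenter\SyncConfigTask": r"\\DC01\share\service_update.exe",
        # Constructed: a task running the dropped copy from System32.
        r"Example\FileSync": r"C:\Windows\System32\FileSyncConfig.exe",
        # Constructed: a task running the binary from an OneDrive install directory.
        r"Example\OneDriveSync": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncConfig.exe",
    }
    for rel, command in samples.items():
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(TASK_TEMPLATE.format(command=command).encode("utf-16"))
    return root


if __name__ == "__main__":
    for task, reasons in audit_tasks_dir(build_sample_tasks_dir()).items():
        print(task, "->", ", ".join(reasons))
```

Run against `C:\Windows\System32\Tasks` on a real host (the script needs read access to that directory), the output is the list of tasks worth pulling into the Threat Hunting investigation; the same logic applies to the ‘Tasks’ and ‘Tree’ TaskCache registry keys named in the mitigation tables, which hold the same action data.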

FortiEDR Execution Policy detected execution of this file throughout the domain as group policy was synced, as can be observed in the events in Figure 14.


Conclusion

Like the previous events, FortiEDR would have mitigated this lateral movement and the associated file creation and execution events if it had been configured in Protect mode, even under the default security policy configuration. Additionally, FortiEDR playbooks can be configured to remove malicious files such as ‘RAR.exe’ and ‘set.exe’ prior to execution. This level of automation allows for the removal of threats and the mitigation of kill chain pathways before stored information or key services are at risk.

Associated Threat Hunting Queries

The following Threat Hunting queries can be used in FortiEDR environments running v5+ with appropriately comprehensive threat-hunting policies.

Process Creation Events

To detect rundll32 processes spawned by child processes of the IIS worker process. Very low false-positive rate for standard Exchange 2016 installs; the TTP and indicators are not unique to the discussed actor.

Type:"Process Creation" AND Source.Process.Parent.Path:"w3wp.exe" AND Target.Process.Name:"rundll32.exe"

To detect execution of any executable files associated with this intrusion. Negligible false-positive rate (except for hash overlap); the indicators are specific to the observed actor. Note: the TTPs outlined in this article indicate that the actor can easily change hash values, so this query is best used to determine whether you have had historical activity similar to that discussed above.

Type:"Process Creation" AND (Target.Process.File.SHA1:"2AC9A1CD9F66F452DB92CA4B4911D21B207C63E2" OR Target.Process.File.SHA1:"00E567EDE5398B7DCF6071E074B7D72D49467080" OR Target.Process.File.SHA1:"69CE16D57E3386CAB9DA1526BF12586982B7D937" OR Target.Process.File.SHA1:"5C13CEF8A4E8ACBE77C37E1C7163957CD363EC37" OR Target.Process.File.SHA1:"7AC41164E4A6309458B12CCB5B7A7CB3A5F8B250" OR Target.Process.File.SHA1:"264D9EC54347C94649212E6ADAA7A5D62499561E" OR Target.Process.File.SHA1:"126864042A82B206369A36A5EDE27F1DF8E36B6E")

Figure 14. Multiple compromised hosts on the targeted network. The threat-hunting query used to scope affected hosts is also available in the ‘Associated Threat Hunting Queries’ section at the end of this document.


File Creation Events

To detect anomalous .tmp files created by the IIS worker process. Low false-positive rate in a standard Exchange 2016 install; the TTP and indicators are not unique to the discussed actor. Validate hits by checking other activity around the same time.

Type:"File Create" AND Source.Process.Name:"w3wp.exe" AND Target.File.Ext:"tmp" AND Target.File.Path:("C:\\Windows\\Temp\\")

To detect executables being created by the IIS worker process. Very low false-positive rate in a standard Exchange 2016 install; the TTP and indicators are not unique to the discussed actor.

Type:"File Create" AND Source.Process.Name:"w3wp.exe" AND Target.File.Ext:"exe"

To detect creation of the CLR usage log files generated when a .NET executable runs, where the executed .NET executable is located in the Temp directory. Very low false-positive rate in a standard Exchange 2016 install; the TTP and indicators are not unique to the discussed actor, but the query will detect anomalous execution of .NET executables from the Temp directory.

Type:"File Create" AND Target.File.Ext:"log" AND Target.File.Path:("Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\") AND Source.Process.File.Path:("Windows\\Temp")

To detect file creation of any files associated with this intrusion. Negligible false-positive rate (except for hash overlap); the indicators are specific to the observed actor. Note: the TTPs outlined in this article indicate that the actor can easily change hash values, so this query is best used to determine whether you have had historical activity similar to that discussed above.

Type:"File Create" AND (Target.File.SHA1:"2AC9A1CD9F66F452DB92CA4B4911D21B207C63E2" OR Target.File.SHA1:"00E567EDE5398B7DCF6071E074B7D72D49467080" OR Target.File.SHA1:"69CE16D57E3386CAB9DA1526BF12586982B7D937" OR Target.File.SHA1:"5C13CEF8A4E8ACBE77C37E1C7163957CD363EC37" OR Target.File.SHA1:"7AC41164E4A6309458B12CCB5B7A7CB3A5F8B250" OR Target.File.SHA1:"264D9EC54347C94649212E6ADAA7A5D62499561E" OR Target.File.SHA1:"126864042A82B206369A36A5EDE27F1DF8E36B6E" OR Target.File.SHA1:"7E5770CCB55978DD2BA19ED45AE6195648EE2AF1" OR Target.File.SHA1:"731CF4684E6CC36E9F43704FAF65583BA24ADABE")
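To show what the queries in this section actually select, the following Python script is an added example written for this article, not Fortinet's code and not the FortiEDR query engine. It re-implements each Threat Hunting query as a predicate (quoted terms treated as case-insensitive substring matches, which is an assumption about the query language) and runs them over a handful of constructed events laid out with the same field names. The SHA1 values are the ones listed in the queries above; the pairing of one of them with a file named RAR.exe, and every host, path and process name in the events, is constructed.

```python
# SHA1 values from the File Create hash query above (the Process Creation
# query uses the first seven of these against Target.Process.File.SHA1).
KNOWN_SHA1 = {
    "2AC9A1CD9F66F452DB92CA4B4911D21B207C63E2", "00E567EDE5398B7DCF6071E074B7D72D49467080",
    "69CE16D57E3386CAB9DA1526BF12586982B7D937", "5C13CEF8A4E8ACBE77C37E1C7163957CD363EC37",
    "7AC41164E4A6309458B12CCB5B7A7CB3A5F8B250", "264D9EC54347C94649212E6ADAA7A5D62499561E",
    "126864042A82B206369A36A5EDE27F1DF8E36B6E", "7E5770CCB55978DD2BA19ED45AE6195648EE2AF1",
    "731CF4684E6CC36E9F43704FAF65583BA24ADABE",
}

# Constructed events in the field/value shape of the queries. Hosts, paths and
# the hash-to-filename pairing are invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "Type": "Process Creation", "Source.Process.Name": "RAR.exe",
     "Source.Process.Parent.Path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Target.Process.Name": "rundll32.exe"},
    {"id": 2, "Type": "Process Creation", "Source.Process.Name": "cmd.exe",
     "Source.Process.Parent.Path": r"C:\Windows\explorer.exe",
     "Target.Process.Name": "rundll32.exe"},
    {"id": 3, "Type": "File Create", "Source.Process.Name": "w3wp.exe",
     "Source.Process.File.Path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Target.File.Ext": "tmp", "Target.File.Path": r"C:\Windows\Temp\a1b2.tmp"},
    {"id": 4, "Type": "File Create", "Source.Process.Name": "w3wp.exe",
     "Source.Process.File.Path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Target.File.Ext": "tmp",
     "Target.File.Path": r"C:\inetpub\temp\IIS Temporary Compressed Files\x.tmp"},
    {"id": 5, "Type": "File Create", "Source.Process.Name": "w3wp.exe",
     "Source.Process.File.Path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Target.File.Ext": "exe", "Target.File.Path": r"C:\Windows\Temp\RAR.exe",
     "Target.File.SHA1": "2AC9A1CD9F66F452DB92CA4B4911D21B207C63E2"},
    {"id": 6, "Type": "File Create", "Source.Process.Name": "RAR.exe",
     "Source.Process.File.Path": r"C:\Windows\Temp\RAR.exe",
     "Target.File.Ext": "log",
     "Target.File.Path": r"C:\Windows\System32\config\systemprofile\AppData\Local"
                         r"\Microsoft\CLR_v4.0\UsageLogs\RAR.exe.log"},
]


def has(ev, field, term):
    """Case-insensitive substring test; approximates a quoted term in the query language."""
    return term.lower() in str(ev.get(field, "")).lower()


def q_rundll32_from_iis_child(ev):
    return (has(ev, "Type", "Process Creation")
            and has(ev, "Source.Process.Parent.Path", "w3wp.exe")
            and has(ev, "Target.Process.Name", "rundll32.exe"))


def q_tmp_in_windows_temp(ev):
    return (has(ev, "Type", "File Create") and has(ev, "Source.Process.Name", "w3wp.exe")
            and has(ev, "Target.File.Ext", "tmp")
            and has(ev, "Target.File.Path", "C:\\Windows\\Temp\\"))


def q_exe_by_w3wp(ev):
    return (has(ev, "Type", "File Create") and has(ev, "Source.Process.Name", "w3wp.exe")
            and has(ev, "Target.File.Ext", "exe"))


def q_clr_log_from_temp(ev):
    return (has(ev, "Type", "File Create") and has(ev, "Target.File.Ext", "log")
            and has(ev, "Target.File.Path",
                    "Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\")
            and has(ev, "Source.Process.File.Path", "Windows\\Temp"))


def q_known_hash(ev):
    return has(ev, "Type", "File Create") and ev.get("Target.File.SHA1", "").upper() in KNOWN_SHA1


QUERIES = {
    "rundll32_from_iis_child": q_rundll32_from_iis_child,
    "tmp_in_windows_temp": q_tmp_in_windows_temp,
    "exe_by_w3wp": q_exe_by_w3wp,
    "clr_log_from_temp": q_clr_log_from_temp,
    "known_hash": q_known_hash,
}


def run_hunt(events, queries=QUERIES):
    """Return, per query name, the ids of the events it selects."""
    return {name: [ev["id"] for ev in events if match(ev)] for name, match in queries.items()}


if __name__ == "__main__":
    for name, ids in run_hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {ids}")
```

Event 4 is the case the article's note about validation is aimed at: a w3wp.exe .tmp write that is routine because it lands in the IIS temp tree rather than C:\Windows\Temp, so only the path clause keeps it out of the results.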

Outline of MITRE Techniques Observed

TA0001: Initial Access

T1190: Exploit Public-facing Application

Observed Activity: The initial access method for this activity was exploitation of the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) present in Microsoft Exchange 2016. This access was used to drop web shells for C2 and to provide execution in the environment.

Mitigation: Patches for the Microsoft Exchange vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 were released on 31 July 2021. Check Microsoft guidance for the correct patches to apply based on the desired version of Exchange. Patches are the most effective way of mitigating this TTP.

Deploy a web application firewall to prevent exploit traffic from reaching the application.

Scan web applications for common web vulnerabilities; fix or patch vulnerabilities that are discovered through scanning and through public disclosure.

Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation.

Fortinet Security Fabric Controls: FortiWeb, FortiPenTest, FortiClient, FortiDeceptor


TA0002: Execution

T1505.003: Server Software Component: Web Shell

Observed Activity: The actor used various web shells as their C2 method and their execution path. The web shells were China Chopper style web shells (simple JScript and eval statements) embedded in .pst files saved as .aspx files.

Mitigation: Patching the vulnerabilities that lead to web shells being dropped is the most effective mitigation. FortiEDR will provide protection from post-exploitation activity associated with web shells.

Some AV products such as FortiClient will provide protection from known web shells, but web shells change regularly, so mitigating their behavior through an EDR product is the most effective long-term solution.

FortiWeb has a Web Shell Detection Policy that allows for the detection and mitigation of web shells and suspected web shell activity.

Fortinet Security Fabric Controls: FortiWeb, FortiClient, FortiEDR

T1053.005: Scheduled Task/Job: Scheduled Task

Observed Activity: Scheduled tasks under the default OneDrive synchronization scheduled task folder ‘\Microsoft\Windows\SyncCenter\’, deployed through GP modification (see T1484.001), were used to execute a malicious executable stored on a network-accessible share on the AD.

Mitigation: Monitor event logging for scheduled task creation and changes (turn on the “Microsoft-Windows-TaskScheduler/Operational” log within the event logging service).

Monitor scheduled task creation using the EDR v5 threat-hunting feature. Look for the creation of task files in the default scheduled task path ‘C:\Windows\System32\Tasks’ or registry modifications to the following keys: ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks’ and ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree’.

Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiSandbox

T1059.007: Command and Scripting Interpreter: JavaScript

Observed Activity: The web shell employed as part of this intrusion uses JavaScript to execute received web shell commands. See Figure 2 for detail of the script.

Mitigation: In this scenario, JavaScript was employed as part of the dropped web shells, so all mitigations for web shells are applicable (see T1505.003). FortiEDR will detect and block post-exploitation activity associated with JavaScript web shells.

FortiWeb has a Web Shell Detection Policy that allows for the detection and mitigation of web shells and suspected web shell activity.

Fortinet Security Fabric Controls: FortiWeb, FortiEDR


TA0003: Persistence

TA0004: Privilege Escalation

T1505.003: Server Software Component: Web Shell

Observed Activity: The actor used various web shells as their C2 method and their execution path.

Mitigation: See T1505.003 above: patching the vulnerabilities that lead to web shells being dropped is the most effective mitigation; FortiEDR provides protection from the associated post-exploitation activity; FortiClient covers known web shells; and FortiWeb’s Web Shell Detection Policy allows for the detection and mitigation of suspected web shell activity.

Fortinet Security Fabric Controls: FortiWeb, FortiClient, FortiEDR

T1484.001: Domain Policy Modification: Group Policy Modification

Observed Activity: The executable ‘set.exe’ was observed being used to push a Scheduled Task through a GPO update as part of this intrusion.

Mitigation: Auditing GPOs regularly and minimizing the users who have permissions to change GPOs is the best way to mitigate this activity.

As demonstrated in this article, FortiEDR can be used to identify the artifacts associated with GPO changes and will mitigate malicious activity enabled through GPO.

Fortinet Security Fabric Controls: FortiEDR

T1053.005: Scheduled Task/Job: Scheduled Task

Observed Activity: Scheduled tasks under the default OneDrive synchronization scheduled task folder ‘\Microsoft\Windows\SyncCenter\’, deployed through GP modification (see T1484.001), were used to execute a malicious executable stored on a network-accessible share on the AD.

Mitigation: See T1053.005 above (the “Microsoft-Windows-TaskScheduler/Operational” log, and EDR v5 threat hunting for task file creation under ‘C:\Windows\System32\Tasks’ and changes to the TaskCache ‘Tasks’ and ‘Tree’ registry keys).

Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiSandbox


T1068: Exploitation for Privilege Escalation

Observed Activity: The use of web shells allows child processes of the web shell to be spawned with ‘Local System’ privileges, giving almost full control of the compromised endpoint. In this intrusion, the compromised Exchange server was also the AD for the domain, effectively giving the adversary full control of the domain.

Mitigation: See the mitigations for T1505.003: Server Software Component: Web Shell.

Fortinet Security Fabric Controls: FortiWeb, FortiClient, FortiEDR

TA0005: Defense Evasion

T1140: Deobfuscate/Decode Files or Information

Observed Activity: RAR.exe accepts as arguments two compressed and AES-encrypted payloads stored as .tmp files, containing a variant of the XMRig Monero miner. set.exe contains two resources that are compressed and encrypted in the same way with a different AES key and IV.

Mitigation: Obfuscated and encoded payloads and data are difficult to detect consistently because of the numerous ways of implementing the TTP. FortiEDR supports in-memory analysis live on endpoints and through cloud sandboxing features. This functionality was able to detect the deobfuscated payloads employed in this intrusion and correctly categorize them as malicious.

Fortinet Security Fabric Controls: FortiEDR, FortiClient, FortiSandbox

T1564.001: Hide Artifacts: Hidden Files and Directories

Observed Activity: set.exe, service_update.exe, and FileSyncConfig.exe are all hidden files.

Mitigation: Monitor the creation of hidden files in anomalous directories and with suspicious extensions such as ‘exe’ and ‘dll’.

FortiEDR treats hidden files as normal files and will detect malicious or suspicious files such as those employed in this intrusion.

Fortinet Security Fabric Controls: FortiEDR, FortiClient, FortiSIEM, FortiSandbox

T1070.004: Indicator Removal on Host: File Deletion

Observed Activity: RAR.exe automatically deletes the .tmp files passed to it as arguments, likely so the payload they contain cannot be extracted and reversed.

Mitigation: FortiEDR detects read attempts of malicious and suspicious files, preventing the subsequent deletion attempt. This allows malicious and suspicious files to be retained for future analysis without introducing risk to endpoints.

Fortinet Security Fabric Controls: FortiEDR, FortiSandbox


T1036.004: Masquerading: Masquerade Task and Service

Observed Activity: The scheduled task named ‘\Microsoft\Windows\SyncCenter\SyncConfigTask’ is used to appear as a legitimate part of the OneDrive service/application.

Mitigation: See T1053.005 above: monitor event logging for scheduled task creation and changes (the “Microsoft-Windows-TaskScheduler/Operational” log) and use the EDR v5 threat-hunting feature to look for task file creation under ‘C:\Windows\System32\Tasks’ and modifications to the TaskCache ‘Tasks’ and ‘Tree’ registry keys.

Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiSOAR, FortiSandbox

T1036.005: Masquerading: Match Legitimate Name or Location

Observed Activity: The XMRig variant dropped and executed by the ‘service_update.exe’ executable is named ‘FileSyncConfig.exe’ to match the legitimate OneDrive configuration executable of the same name, though it uses a different path than the legitimate executable. The name RAR.exe may have been chosen to resemble the portable WinRAR binary.

Mitigation: Monitor file creation events for executables with known executable names in non-standard directories. SIEM products such as FortiSIEM are effective at analyzing large volumes of data such as all executable writes on endpoints throughout a domain.

FortiEDR threat hunting can also be used to identify file writes to restricted directories such as System32. Executable writes to this directory are rare outside the update cycle, minimizing the number of false positives.

Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiSandbox

T1027.001: Obfuscated Files or Information: Binary Padding

Observed Activity: Binary padding has been used to change the hash of similar versions of RAR.exe identified through VirusTotal threat hunting (see Figure 9). This is likely intended to avoid hash-based detection and increase the longevity of malware samples.

Mitigation: Standard AV-style products are rarely effective against unknown malware. FortiEDR uses cloud sandboxing as part of its analysis, which allows for the detection of suspicious and malicious indicators other than file hashes.

Fortinet Security Fabric Controls: FortiEDR, FortiClient, FortiSandbox


Technique ID Technique Description Observed Activity

T1027.004 Obfuscated Files or Information: Compile After Delivery

RAR.exe compiles code from .tmp files on execution and set.exe uses a similar process to compile code embedded as encoded resources on execution.

Mitigation Standard AV-style products are rarely effective against unknown malware. FortiEDR uses cloud sandboxing as part of its analysis, which allows for the detection of suspicious and malicious indicators outside of file hashes.

Fortinet Security Fabric Controls: FortiEDR, FortiClient, FortiSandbox

Technique ID: T1055.012
Technique Description: Process Injection: Process Hollowing
Observed Activity: The rundll32.exe process is hollowed as part of RAR.exe execution.
Mitigation: Monitor Windows API calls indicative of the various types of code injection. Look for DLLs that are not recognized or not normally loaded into a process.

Analyze process behavior to determine if a process performs actions it usually does not, such as network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
Fortinet Security Fabric Controls: FortiEDR and FortiSandbox

Technique ID: T1055.002
Technique Description: Process Injection: Portable Executable Injection
Observed Activity: Both RAR.exe and service_update.exe inject portable executables compiled at execution into memory. These executables are not mapped to disk and are detected and analyzed in memory by FortiEDR.
Mitigation: Monitor Windows API calls indicative of the various types of code injection. Analyze process behavior to determine if a process performs actions it usually does not, such as network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.

FortiEDR policies detect in-memory executables that aren’t mapped to disk. These policies effectively detected the use of this technique during the intrusion discussed above.
Fortinet Security Fabric Controls: FortiEDR and FortiSandbox
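The two process-injection entries above describe the same detection approach: watch for handles opened with memory-write and thread-control rights, for DLLs a process does not normally load, and for hosts such as rundll32.exe started without the arguments they need. The triage script below is an added example (not FortiEDR's logic) that applies those three checks to constructed records shaped like Sysmon Event ID 1 (ProcessCreate), 7 (ImageLoad) and 10 (ProcessAccess); the untrusted-directory list and the per-process DLL baseline are assumptions a team would tune for its own estate, and the access-right constants are the standard Windows values.

```python
"""Injection/hollowing triage over Sysmon-style events: added example, not
Fortinet's or FortiEDR's logic. Records use Sysmon field names but are
constructed; UNTRUSTED_DIRS and DLL_BASELINE are assumptions.
"""
from __future__ import annotations

# Standard Windows process access rights; their combination is what matters.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Assumed: directories where code that opens other processes should not live.
UNTRUSTED_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Assumed baseline: DLLs this process image is known to load in this estate.
DLL_BASELINE = {
    "c:\\windows\\system32\\rundll32.exe": {
        "c:\\windows\\system32\\ntdll.dll",
        "c:\\windows\\system32\\kernel32.dll",
        "c:\\windows\\system32\\kernelbase.dll",
    }
}


def from_untrusted_dir(path: str) -> bool:
    return any(d in path.lower() for d in UNTRUSTED_DIRS)


def check_process_access(ev: dict) -> str | None:
    """Event 10: write + thread-control rights on another process, taken by an
    image in an untrusted directory, is the hollowing/PE-injection shape."""
    mask = int(ev["GrantedAccess"], 16)
    can_write = bool(mask & PROCESS_VM_WRITE) and bool(mask & PROCESS_VM_OPERATION)
    can_run = bool(mask & (PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME))
    if can_write and can_run and from_untrusted_dir(ev["SourceImage"]):
        return f"write+thread access {ev['GrantedAccess']} from {ev['SourceImage']} to {ev['TargetImage']}"
    return None


def check_process_create(ev: dict) -> str | None:
    """Event 1: rundll32.exe does nothing without a DLL argument; an empty
    command line under a parent in an untrusted directory is a hollowing host."""
    image = ev["Image"].lower()
    args = ev["CommandLine"].strip().split(maxsplit=1)
    if image.endswith("\\rundll32.exe") and len(args) < 2 and from_untrusted_dir(ev["ParentImage"]):
        return f"argument-less rundll32.exe spawned by {ev['ParentImage']}"
    return None


def check_image_load(ev: dict) -> str | None:
    """Event 7: a DLL outside the baseline, or unsigned, loaded into a baselined process."""
    image, loaded = ev["Image"].lower(), ev["ImageLoaded"].lower()
    baseline = DLL_BASELINE.get(image)
    if baseline is None:
        return None
    if loaded not in baseline or ev.get("Signed", "true").lower() != "true":
        return f"unexpected DLL {ev['ImageLoaded']} in {ev['Image']}"
    return None


CHECKS = {1: check_process_create, 7: check_image_load, 10: check_process_access}


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Run the check for each event type and return (EventID, reason) per hit."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        reason = check(ev) if check else None
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


# Constructed telemetry modelled on the RAR.exe -> rundll32.exe chain, plus noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\Temp\\RAR.exe", "CommandLine": "rundll32.exe"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\RAR.exe",
     "TargetImage": "C:\\Windows\\System32\\rundll32.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\Temp\\stage.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"EventID {event_id}: {reason}")
```

The baseline check is the piece that scales badly without tooling: a per-process list of expected DLLs has to be built from clean hosts and kept current across updates, which is the "recognized" part of the mitigation text.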

TA0008: Lateral Movement

Technique ID: T1570
Technique Description: Lateral Tool Transfer
Observed Activity: The ‘service_update.exe’ file was hosted on a file share on the domain AD and accessed through a scheduled task from remote hosts.
Mitigation: Monitor for anomalous executables hosted on and written to file shares. Monitor file creation events for executables with known executable names in non-standard directories. SIEM products such as FortiSIEM are effective at analyzing large volumes of data, such as all executable writes on endpoints throughout a domain.

FortiEDR threat hunting can also be used to identify file writes to restricted directories such as System32. Executable writes to this directory are rare outside the update cycle, minimizing the number of false positives.
Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiClient, FortiSandbox

Technique ID: T1021
Technique Description: Remote Services
Observed Activity: GPO updates were used to register a scheduled task on remote hosts. This scheduled task executed a malicious file hosted on a Windows file share on the AD.
Mitigation: Auditing GPOs regularly and minimizing the users who have permissions to make changes to GPOs is the best way to mitigate this activity.

As demonstrated in this article, FortiEDR can be used to identify the artifacts associated with GPO changes and will mitigate malicious activity enabled through GPO.
Fortinet Security Fabric Controls: FortiEDR
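Scheduled tasks pushed by Group Policy Preferences are stored as `ScheduledTasks.xml` under a policy's `Machine\Preferences\ScheduledTasks` folder in SYSVOL, so a GPO audit can be run against those files directly rather than against each host. The script below is an added example (not Fortinet's code) that flags tasks whose command runs from a network share or a user-writable directory, and SYSTEM tasks changed after a review date. The XML is a constructed, simplified sample (real files also carry `clsid` and `uid` attributes); the writable-directory list and the review date are assumptions.

```python
"""Audit of Group Policy Preferences scheduled tasks: added example, not
Fortinet's code. The audit relies only on the TaskV2/ImmediateTaskV2 >
Properties > Task > Actions > Exec > Command structure of GPP task XML.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed sample: one task launching from a share, one ordinary task.
SAMPLE_GPP_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <TaskV2 name="Service Update" changed="2021-09-22 10:15:00">
    <Properties action="C" name="Service Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>\\dc01\netlogon\service_update.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="Inventory" changed="2020-03-01 08:00:00">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>/scan</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed


def audit_gpp_tasks(xml_text: str, review_since: str = "2021-09-01") -> list[dict]:
    """Return one finding per task whose command or change history needs review."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        if task.tag not in ("TaskV2", "ImmediateTaskV2"):
            continue
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        changed = task.get("changed", "")[:10]  # "YYYY-MM-DD HH:MM:SS" -> date only
        for cmd in task.iter("Command"):
            command = (cmd.text or "").strip()
            reasons = []
            if command.startswith("\\\\"):
                reasons.append("command runs from a network share")
            if any(d in command.lower() for d in WRITABLE_DIRS):
                reasons.append("command runs from a user-writable directory")
            if changed >= review_since and "system" in run_as.lower():
                reasons.append(f"SYSTEM task changed on {changed}, after {review_since}")
            if reasons:
                findings.append({"task": task.get("name"), "command": command,
                                 "runAs": run_as, "changed": changed, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_gpp_tasks(SAMPLE_GPP_XML):
        print(finding["task"], "->", finding["command"], "|", "; ".join(finding["reasons"]))
```

Running this over every policy folder in SYSVOL gives a domain-wide view of which GPOs can start executables on member hosts, which is the inventory the "audit GPOs regularly" mitigation needs; pairing it with the GPO's modification history shows who made the change.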

Technique ID: T1021.002
Technique Description: Remote Services: SMB/Windows Admin Shares
Observed Activity: The ‘service_update.exe’ file was hosted on a file share on the domain AD and accessed through a scheduled task from remote hosts.
Mitigation: Monitor for anomalous executables hosted on and written to file shares. Monitor file creation events for executables with known executable names in non-standard directories. SIEM products such as FortiSIEM are effective at analyzing large volumes of data, such as all executable writes on endpoints throughout a domain.
Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiClient, FortiSandbox
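The T1570 and T1021.002 entries, and the System32 note under T1570, all come down to the same hunt: classify every executable write by where it lands and who wrote it. The script below is an added example (not Fortinet's, FortiEDR's or FortiSIEM's rules) that applies four such rules to constructed records in the shape of Sysmon Event ID 11 (FileCreate) plus a host name. The update-writer allowlist, temp-directory list and expected-location map are assumptions to tune per estate, and the writer processes in the sample events are placeholders, not observed attribution.

```python
"""Executable-write hunt over file-creation events: added example, not
Fortinet's, FortiEDR's or FortiSIEM's own rules. Events are constructed;
UPDATE_WRITERS, TEMP_DIRS and EXPECTED_DIRS are assumptions.
"""
from __future__ import annotations
import ntpath

EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
SYSTEM32 = "c:\\windows\\system32\\"
UPDATE_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}  # assumed
TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")             # assumed
EXPECTED_DIRS = {                                                          # assumed
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "rundll32.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "explorer.exe": ("c:\\windows\\",),
}


def is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXTS


def classify(ev: dict) -> list[tuple[str, str]]:
    """Return (severity, rule) findings for one FileCreate event."""
    target = ev["TargetFilename"].lower()
    if not is_executable(target):
        return []
    writer = ntpath.basename(ev["Image"]).lower()
    directory = ntpath.dirname(target).rstrip("\\") + "\\"
    name = ntpath.basename(target)
    findings = []
    if directory.startswith(SYSTEM32) and writer not in UPDATE_WRITERS:
        findings.append(("high", "executable written to System32 outside the update cycle"))
    if target.startswith("\\\\"):
        findings.append(("high", "executable written to a network share"))
    if name in EXPECTED_DIRS and not directory.startswith(EXPECTED_DIRS[name]):
        findings.append(("high", f"{name} written outside its expected directory"))
    if any(t in directory for t in TEMP_DIRS):
        findings.append(("low", "executable written to a temp directory"))
    return findings


def hunt(events: list[dict]) -> list[dict]:
    """Apply classify() to every event; a SIEM would run this across the domain."""
    results = []
    for ev in events:
        for severity, rule in classify(ev):
            results.append({"host": ev["Host"], "path": ev["TargetFilename"],
                            "writer": ev["Image"], "severity": severity, "rule": rule})
    return results


# Constructed events modelled on the file names in this report.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": "C:\\Windows\\Temp\\dropper.exe",
     "TargetFilename": "C:\\Windows\\System32\\FileSyncConfig.exe"},
    {"Host": "DC01", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "\\\\dc01\\netlogon\\service_update.exe"},
    {"Host": "WS02", "Image": "C:\\Windows\\Temp\\dropper.exe",
     "TargetFilename": "C:\\Users\\Public\\svchost.exe"},
    {"Host": "WS01", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Windows\\Temp\\RAR.exe"},
    # Benign: a servicing write into System32 and a non-executable in temp.
    {"Host": "WS01", "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\update.dll"},
    {"Host": "WS02", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Windows\\Temp\\report.txt"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(f"[{r['severity']}] {r['host']}: {r['path']} by {r['writer']} ({r['rule']})")
```

The temp-directory rule is deliberately low severity: plenty of legitimate installers stage executables there, so it is a pivot for the analyst rather than an alert on its own, while the System32 and network-share rules carry the low false-positive rate the text describes.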

TA0040: Impact

Technique ID: T1496
Technique Description: Resource Hijacking
Observed Activity: The actions-on-objectives phase of this intrusion was the deployment of a variant of XMRig (Monero miner) on affected endpoints.
Mitigation: Detecting spikes in CPU usage on endpoints is a good way of detecting cryptomining software. Cryptomining software is also fixed in its configuration when loaded into memory. FortiEDR uses cloud sandboxing and in-memory analysis and can effectively identify cryptomining software.
Fortinet Security Fabric Controls: FortiEDR, FortiSIEM, FortiClient, FortiSandbox
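The two signals in the mitigation text, sustained CPU consumption and a fixed miner configuration in memory, can both be checked from telemetry an EDR or SIEM already holds. The script below is an added example (not FortiEDR's logic): `sustained_cpu()` flags a process only after it stays above a threshold for several consecutive samples, so short bursts from a browser or compiler do not trip it, and `scan_memory()` looks for the strings an XMRig-style miner keeps in clear in its loaded configuration (a `stratum+tcp://` or `stratum+ssl://` pool URL, a Monero-shaped wallet address, and config keys such as `donate-level` and the `rx/0` RandomX algorithm id). The thresholds, the CPU samples and the memory region are constructed; the wallet is a placeholder with the right length and alphabet, not a real address.

```python
"""Cryptominer indicators from endpoint telemetry: added example, not
FortiEDR's logic. Thresholds and all sample data are assumptions.
"""
from __future__ import annotations
import re

CPU_THRESHOLD = 85.0   # assumed: percent CPU that counts as "high"
MIN_SUSTAINED = 5      # assumed: consecutive samples needed before alerting


def sustained_cpu(samples, threshold=CPU_THRESHOLD, min_run=MIN_SUSTAINED) -> dict[str, int]:
    """samples: (timestamp, process, cpu_percent) tuples in time order.
    Returns {process: timestamp} for processes that stayed at or above the
    threshold for min_run consecutive samples; one low sample resets the run."""
    run_length: dict[str, int] = {}
    flagged: dict[str, int] = {}
    for ts, proc, cpu in samples:
        if cpu >= threshold:
            run_length[proc] = run_length.get(proc, 0) + 1
            if run_length[proc] == min_run:
                flagged[proc] = ts
        else:
            run_length[proc] = 0
    return flagged


MINER_PATTERNS = {
    "stratum_pool_url": re.compile(rb"stratum\+(?:tcp|ssl)://[\w.\-]+:\d{2,5}"),
    # Monero addresses: 95 base58 chars; standard ones start with 4, subaddresses with 8.
    "monero_address": re.compile(rb"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
    "xmrig_config_key": re.compile(rb'donate-level|"rx/0"'),
}


def scan_memory(blob: bytes) -> dict[str, list[str]]:
    """Return {indicator: [matches]} for miner configuration strings in a memory region."""
    hits: dict[str, list[str]] = {}
    for name, pattern in MINER_PATTERNS.items():
        found = [m.group(0).decode("ascii", "replace") for m in pattern.finditer(blob)]
        if found:
            hits[name] = found
    return hits


# Constructed telemetry: one process pegged at 97%, one with short spikes,
# one idle process, eight samples each.
SAMPLE_CPU = []
for t in range(8):
    SAMPLE_CPU.append((t, "FileSyncConfig.exe", 97.0))
    SAMPLE_CPU.append((t, "chrome.exe", 92.0 if t % 2 == 0 else 15.0))
    SAMPLE_CPU.append((t, "explorer.exe", 2.5))

# Constructed memory region holding an XMRig-shaped JSON config.
FAKE_WALLET = "4" + ("AB12cd34" * 12)[:94]  # placeholder, 95 base58 chars
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b'{"autosave":true,"donate-level":1,"pools":[{"algo":"rx/0",'
    + b'"url":"stratum+tcp://pool.example.invalid:3333","user":"'
    + FAKE_WALLET.encode() + b'","pass":"x"}]}'
    + b"\x00" * 64
)
BENIGN_MEMORY = b"\x00" * 32 + b"https://update.example.invalid/catalog?id=42 " + b"\x00" * 32

if __name__ == "__main__":
    print("sustained CPU:", sustained_cpu(SAMPLE_CPU))
    print("miner strings:", scan_memory(SAMPLE_MEMORY))
    print("benign region:", scan_memory(BENIGN_MEMORY))
```

The memory scan is what makes the CPU signal actionable: a pegged process is only a lead, while a pool URL and wallet in its memory both confirm the finding and give the network team an indicator to block.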

Indicators of Compromise

Indicator Description: Web Shell Hash (338209561.aspx)
Indicator: T7E5770CCB55978DD2BA19ED45AE6195648EE2AF1
Indicator Type: SHA1 Hash
Associated Tactic: Command and Control, Initial Access
Notes: Primary web shell associated with the above activity.

Indicator Description: Web Shell Hash (253283293.aspx)
Indicator: 731CF4684E6CC36E9F43704FAF65583BA24ADABE
Indicator Type: SHA1 Hash
Associated Tactic: Command and Control, Initial Access
Notes: Additional web shell with some indicator crossover with the primary web shell.

Indicator Description: RAR.exe Hash
Indicator: 2AC9A1CD9F66F452DB92CA4B4911D21B207C63E2
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Impact
Notes: .NET executable used to inject a variant of XMRig (Monero miner) into the rundll32.exe process. Written to ‘C:\Windows\Temp’.

Indicator Description: set.exe Hash
Indicator: 126864042A82B206369A36A5EDE27F1DF8E36B6E
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Lateral Movement
Notes: .NET executable used to modify GPO to load a scheduled task across the compromised domain. Written to ‘C:\Windows\Temp’.

Indicator Description: service_update.exe Hash
Indicator: 00E567EDE5398B7DCF6071E074B7D72D49467080
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Lateral Movement
Notes: .NET executable containing an encrypted variant of XMRig (Monero miner). Written to a file share on the AD.

Indicator Description: FileSyncConfig.exe Hash
Indicator: 69CE16D57E3386CAB9DA1526BF12586982B7D937
Indicator Type: SHA1 Hash
Associated Tactic: Impact
Notes: Variant of XMRig (Monero miner). Written to ‘C:\Windows\System32’.

Indicator Description: Web Shell C2 IP (Primary)
Indicator: 5.135.25[.]94
Indicator Type: IP Address
Associated Tactic: Command and Control, Initial Access
Notes: This IP address was seen interacting with the associated web shell. This was the primary IP observed interacting with the web shell related to the above activity over the period 22 Sep – 06 Oct 21.

Indicator Description: Web Shell C2 IP
Indicator: 23.81.140[.]53
Indicator Type: IP Address
Associated Tactic: Command and Control, Initial Access
Notes: This IP address was seen interacting with the associated web shells.

Indicator Description: Web Shell C2 IP
Indicator: 171.25.193[.]20
Indicator Type: IP Address
Associated Tactic: Command and Control, Initial Access
Notes: This IP address was seen interacting with the associated web shells.

Indicator Description: Web Shell C2 IP
Indicator: 213.183.53[.]166
Indicator Type: IP Address
Associated Tactic: Command and Control, Initial Access
Notes: This IP address was seen interacting with the associated web shells.

Indicator Description: Web Shell C2 IP
Indicator: 175.117.145[.]60
Indicator Type: IP Address
Associated Tactic: Command and Control, Initial Access
Notes: This IP address was seen interacting with the associated web shells.

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

www.fortinet.com

November 2, 2021 8:36 AM

1329707-0-0-EN

Additional Indicators

The following artifacts were not directly observed; however, they have significant overlap in atomic indicators with those observed as part of this intrusion. Note: These file hashes have not been added to the above threat-hunting queries, but it is recommended that they are added where applicable for completeness.

Indicator Description: launch.exe Hash
Indicator: 5C13CEF8A4E8ACBE77C37E1C7163957CD363EC37
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Impact
Notes: Identical file structure, vHash, behavior, internal AES key and IV, activity period and contained resources as RAR.exe.

Indicator Description: launch.exe Hash
Indicator: 7AC41164E4A6309458B12CCB5B7A7CB3A5F8B250
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Impact
Notes: Identical file structure, vHash, behavior, internal AES key and IV, activity period and contained resources as RAR.exe.

Indicator Description: launch.exe Hash
Indicator: 264D9EC54347C94649212E6ADAA7A5D62499561E
Indicator Type: SHA1 Hash
Associated Tactic: Persistence, Impact
Notes: Identical file structure, vHash, behavior, internal AES key and IV, activity period and contained resources as RAR.exe.